NRIC is NOT an authentication tool
From 1 January 2027, all private organisations in Singapore must completely cease using National Registration Identity Card (NRIC) numbers — whether full or partial — for identity verification purposes.
The Personal Data Protection Commission (PDPC) will step up enforcement and may issue directions or financial penalties against non-compliant organisations.
This move is part of Singapore’s broader efforts to strengthen personal data protection and cybersecurity.
Why This Matters to Businesses
Organisations are expected to proactively review and update:
- IT systems and databases
- Customer login and authentication processes
- Internal operational workflows
- Data protection and compliance frameworks
Continued reliance on NRIC for authentication may be regarded as a failure to implement reasonable security arrangements, potentially constituting a breach of the Personal Data Protection Act (PDPA).
Key Compliance Timeline
By 31 December 2026
- Private organisations must progressively stop using NRIC numbers (full or partial) for verification
From 1 January 2027
- PDPC will formally enhance enforcement
- Non-compliant organisations may face regulatory action
Government & Regulatory Position
Public Sector
- Government agencies have already fully ceased using NRIC for authentication
- This reduces the risk of unauthorised access and misuse
Sector Regulators Have Issued Clear Guidance
- IMDA – Telecommunications
- MAS – Financial and insurance sectors
- MOH – Healthcare sector
Regulated entities are required to stop using NRIC numbers for authentication entirely.
Banking & Financial Sector Practices
The Association of Banks in Singapore has confirmed:
- Banks are aligned with PDPC and MAS guidelines
- NRIC alone cannot be used to conduct any financial transaction, including payments or transfers
Most banks have already stopped using NRIC numbers for:
- Opening encrypted email attachments
- Customer verification processes
Any remaining use cases are expected to be phased out in the coming months.
Compliance Risk Under PDPA
From 2027 onwards, continued use of NRIC numbers for authentication may be viewed as:
- Failure to implement reasonable security measures
- A breach of the Personal Data Protection Act
PDPC may:
- Issue corrective directions
- Impose financial penalties
Background: Lessons from the Bizfile Incident
Public concern intensified following the 2024 Bizfile incident, where:
- Users were temporarily allowed to retrieve full NRIC numbers through name searches
Following public backlash:
- The search function was suspended
- Upon reinstatement, NRIC numbers were no longer displayed for free searches
Government Clarification
- NRIC numbers should not be widely disclosed
- Stopping partial masking does not mean unrestricted use
- NRIC should never be used for authentication or as passwords
A review committee has since been established to address systemic gaps and strengthen safeguards.
Conclusion
NRIC numbers are not authentication credentials.
From 2027, continued use presents clear legal and enforcement risks.
For organisations, this is more than a compliance requirement — it is an opportunity to enhance data security, system design, and customer trust.


